Built-in Policy Release 2490210e (#1509)

Co-authored-by: Azure Policy Bot <azgovpolicy@microsoft.com>

Author: robga

built-in-policies/policyDefinitions/App Service/WebApp_Slot_SshEnabled_Audit.json

@@ -0,0 +1,58 @@
+{
+  "properties": {
+    "displayName": "App Service app slots should disable SSH",
+    "policyType": "BuiltIn",
+    "mode": "Indexed",
+    "description": "Azure App Service allows you to open an SSH session to a container running in the service. This feature should be disabled to ensure that SSH is not inadvertently left open on App Service apps, reducing the risk of unauthorized access. Learn more at: https://aka.ms/app-service-ssh",
+    "metadata": {
+      "version": "1.0.0",
+      "category": "App Service"
+    },
+    "version": "1.0.0",
+    "parameters": {
+      "effect": {
+        "type": "String",
+        "metadata": {
+          "displayName": "Effect",
+          "description": "Enable or disable the execution of the policy"
+        },
+        "allowedValues": [
+          "Audit",
+          "Deny",
+          "Disabled"
+        ],
+        "defaultValue": "Audit"
+      }
+    },
+    "policyRule": {
+      "if": {
+        "allOf": [
+          {
+            "field": "type",
+            "equals": "Microsoft.Web/sites/slots"
+          },
+          {
+            "anyOf": [
+              {
+                "field": "Microsoft.Web/sites/slots/sshEnabled",
+                "exists": "false"
+              },
+              {
+                "field": "Microsoft.Web/sites/slots/sshEnabled",
+                "notEquals": "false"
+              }
+            ]
+          }
+        ]
+      },
+      "then": {
+        "effect": "[parameters('effect')]"
+      }
+    },
+    "versions": [
+      "1.0.0"
+    ]
+  },
+  "id": "/providers/Microsoft.Authorization/policyDefinitions/a88d589f-2b09-4b50-8998-9a4e71d7b746",
+  "name": "a88d589f-2b09-4b50-8998-9a4e71d7b746"
+}

built-in-policies/policyDefinitions/App Service/WebApp_SshEnabled_Audit.json

@@ -0,0 +1,58 @@
+{
+  "properties": {
+    "displayName": "App Service apps should disable SSH",
+    "policyType": "BuiltIn",
+    "mode": "Indexed",
+    "description": "Azure App Service allows you to open an SSH session to a container running in the service. This feature should be disabled to ensure that SSH is not inadvertently left open on App Service apps, reducing the risk of unauthorized access. Learn more at: https://aka.ms/app-service-ssh",
+    "metadata": {
+      "version": "1.0.0",
+      "category": "App Service"
+    },
+    "version": "1.0.0",
+    "parameters": {
+      "effect": {
+        "type": "String",
+        "metadata": {
+          "displayName": "Effect",
+          "description": "Enable or disable the execution of the policy"
+        },
+        "allowedValues": [
+          "Audit",
+          "Deny",
+          "Disabled"
+        ],
+        "defaultValue": "Audit"
+      }
+    },
+    "policyRule": {
+      "if": {
+        "allOf": [
+          {
+            "field": "type",
+            "equals": "Microsoft.Web/sites"
+          },
+          {
+            "anyOf": [
+              {
+                "field": "Microsoft.Web/sites/sshEnabled",
+                "exists": "false"
+              },
+              {
+                "field": "Microsoft.Web/sites/sshEnabled",
+                "notEquals": "false"
+              }
+            ]
+          }
+        ]
+      },
+      "then": {
+        "effect": "[parameters('effect')]"
+      }
+    },
+    "versions": [
+      "1.0.0"
+    ]
+  },
+  "id": "/providers/Microsoft.Authorization/policyDefinitions/25255ddf-ef4f-4283-975a-5590ad111bba",
+  "name": "25255ddf-ef4f-4283-975a-5590ad111bba"
+}

built-in-policies/policyDefinitions/Azure Government/Kubernetes/CannotEditIndividualNodes.json

@@ -1,15 +1,14 @@
 {
   "properties": {
-    "displayName": "[Preview]: Cannot Edit Individual Nodes",
+    "displayName": "Cannot Edit Individual Nodes",
     "policyType": "BuiltIn",
     "mode": "Microsoft.Kubernetes.Data",
     "description": "Cannot Edit Individual Nodes. Users should not edit individual nodes. Please edit node pools. Modifying individual nodes can lead to inconsistent settings, operational challenges, and potential security risks.",
     "metadata": {
-      "version": "1.2.0-preview",
-      "category": "Kubernetes",
-      "preview": true
+      "version": "1.2.1",
+      "category": "Kubernetes"
     },
-    "version": "1.2.0-preview",
+    "version": "1.2.1",
     "parameters": {
       "source": {
         "type": "String",
@@ -181,6 +180,7 @@
       }
     },
     "versions": [
+      "1.2.1",
       "1.2.0-PREVIEW",
       "1.1.0-PREVIEW",
       "1.0.4-PREVIEW",

built-in-policies/policyDefinitions/Azure Government/Kubernetes/ContainerEnforcePreStopHook.json

@@ -1,15 +1,14 @@
 {
   "properties": {
-    "displayName": "[Preview]: Kubernetes cluster container images must include the preStop hook",
+    "displayName": "Kubernetes cluster container images must include the preStop hook",
     "policyType": "BuiltIn",
     "mode": "Microsoft.Kubernetes.Data",
     "description": "Requires that container images include a preStop hook to gracefully terminate processes during pod shutdowns.",
     "metadata": {
-      "version": "1.1.0-preview",
-      "category": "Kubernetes",
-      "preview": true
+      "version": "1.1.1",
+      "category": "Kubernetes"
     },
-    "version": "1.1.0-preview",
+    "version": "1.1.1",
     "parameters": {
       "source": {
         "type": "String",
@@ -155,6 +154,7 @@
       }
     },
     "versions": [
+      "1.1.1",
       "1.1.0-PREVIEW",
       "1.0.0-PREVIEW"
     ]

built-in-policies/policyDefinitions/Azure Government/Kubernetes/ContainerRestrictedImagePulls.json

@@ -1,15 +1,14 @@
 {
   "properties": {
-    "displayName": "[Preview]: Kubernetes cluster containers should only pull images when image pull secrets are present",
+    "displayName": "Kubernetes cluster containers should only pull images when image pull secrets are present",
     "policyType": "BuiltIn",
     "mode": "Microsoft.Kubernetes.Data",
     "description": "Restrict containers' image pulls to enforce the presence of ImagePullSecrets, ensuring secure and authorized access to images within a Kubernetes cluster",
     "metadata": {
-      "version": "1.1.0-preview",
-      "category": "Kubernetes",
-      "preview": true
+      "version": "1.1.1",
+      "category": "Kubernetes"
     },
-    "version": "1.1.0-preview",
+    "version": "1.1.1",
     "parameters": {
       "source": {
         "type": "String",
@@ -156,6 +155,7 @@
       }
     },
     "versions": [
+      "1.1.1",
       "1.1.0-PREVIEW",
       "1.0.0-PREVIEW"
     ]

built-in-policies/policyDefinitions/Azure Government/Kubernetes/ImagesDoNotUseLatest.json

@@ -1,15 +1,14 @@
 {
   "properties": {
-    "displayName": "[Preview]: Kubernetes cluster container images should not include latest image tag",
+    "displayName": "Kubernetes cluster container images should not include latest image tag",
     "policyType": "BuiltIn",
     "mode": "Microsoft.Kubernetes.Data",
     "description": "Requires that container images do not use the latest tag in Kubernetes, it is a best practice to ensure reproducibility, prevent unintended updates, and facilitate easier debugging and rollbacks by using explicit and versioned container images.",
     "metadata": {
-      "version": "2.0.0-preview",
-      "category": "Kubernetes",
-      "preview": true
+      "version": "2.0.1",
+      "category": "Kubernetes"
     },
-    "version": "2.0.0-preview",
+    "version": "2.0.1",
     "parameters": {
       "source": {
         "type": "String",
@@ -152,6 +151,7 @@
       }
     },
     "versions": [
+      "2.0.1",
       "2.0.0-PREVIEW",
       "1.1.0-PREVIEW",
       "1.0.0-PREVIEW"

built-in-policies/policyDefinitions/Azure Government/Kubernetes/MustHaveAntiAffinityRulesSet.json

@@ -1,15 +1,14 @@
 {
   "properties": {
-    "displayName": "[Preview]: Must Have Anti Affinity Rules or Topology Spread Constraints Set",
+    "displayName": "Must Have Anti Affinity Rules or Topology Spread Constraints Set",
     "policyType": "BuiltIn",
     "mode": "Microsoft.Kubernetes.Data",
     "description": "This policy ensures that pods are scheduled on different nodes within the cluster. By enforcing anti-affinity rules or pod topology spread constraints, availability is maintained even if one of the nodes becomes unavailable. Pods will continue to run on other nodes, enhancing resilience.",
     "metadata": {
-      "version": "1.1.1-preview",
-      "category": "Kubernetes",
-      "preview": true
+      "version": "1.1.2",
+      "category": "Kubernetes"
     },
-    "version": "1.1.1-preview",
+    "version": "1.1.2",
     "parameters": {
       "source": {
         "type": "String",
@@ -155,8 +154,8 @@
       }
     },
     "versions": [
+      "1.1.2",
       "1.1.1-PREVIEW",
-      "1.1.0-PREVIEW",
       "1.0.2-PREVIEW",
       "1.0.1-PREVIEW"
     ]

built-in-policies/policyDefinitions/Azure Government/Kubernetes/MutateMaxUnavailablePods.json

@@ -1,15 +1,14 @@
 {
   "properties": {
-    "displayName": "[Preview]: Sets maxUnavailable pods to 1 for PodDisruptionBudget resources",
+    "displayName": "Sets maxUnavailable pods to 1 for PodDisruptionBudget resources",
     "policyType": "BuiltIn",
     "mode": "Microsoft.Kubernetes.Data",
     "description": "Setting your max unavailable pod value to 1 ensures that your application or service is available during a disruption",
     "metadata": {
-      "version": "1.2.0-preview",
-      "category": "Kubernetes",
-      "preview": true
+      "version": "1.2.1",
+      "category": "Kubernetes"
     },
-    "version": "1.2.0-preview",
+    "version": "1.2.1",
     "parameters": {
       "source": {
         "type": "String",
@@ -68,6 +67,7 @@
       }
     },
     "versions": [
+      "1.2.1",
       "1.2.0-PREVIEW",
       "1.1.0-PREVIEW",
       "1.0.0-PREVIEW"

built-in-policies/policyDefinitions/Azure Government/Kubernetes/MutateReadOnlyRootFilesystem.json

@@ -1,15 +1,14 @@
 {
   "properties": {
-    "displayName": "[Preview]: Sets readOnlyRootFileSystem in the Pod spec to true if it is not set.",
+    "displayName": "Sets readOnlyRootFileSystem in the Pod spec to true if it is not set.",
     "policyType": "BuiltIn",
     "mode": "Microsoft.Kubernetes.Data",
     "description": "Setting readOnlyRootFileSystem to true increases security by preventing containers from writing into the root filesystem",
     "metadata": {
-      "version": "1.2.0-preview",
-      "category": "Kubernetes",
-      "preview": true
+      "version": "1.2.1",
+      "category": "Kubernetes"
     },
-    "version": "1.2.0-preview",
+    "version": "1.2.1",
     "parameters": {
       "source": {
         "type": "String",
@@ -68,6 +67,7 @@
       }
     },
     "versions": [
+      "1.2.1",
       "1.2.0-PREVIEW",
       "1.1.0-PREVIEW",
       "1.0.0-PREVIEW"

built-in-policies/policyDefinitions/Azure Government/Kubernetes/MutateReadOnlyRootFilesystemInitContainers.json

@@ -1,15 +1,14 @@
 {
   "properties": {
-    "displayName": "[Preview]: Sets readOnlyRootFileSystem in the Pod spec in init containers to true if it is not set.",
+    "displayName": "Sets readOnlyRootFileSystem in the Pod spec in init containers to true if it is not set.",
     "policyType": "BuiltIn",
     "mode": "Microsoft.Kubernetes.Data",
     "description": "Setting readOnlyRootFileSystem to true increases security by preventing containers from writing into the root filesystem. This works only for linux containers.",
     "metadata": {
-      "version": "1.2.0-preview",
-      "category": "Kubernetes",
-      "preview": true
+      "version": "1.2.1",
+      "category": "Kubernetes"
     },
-    "version": "1.2.0-preview",
+    "version": "1.2.1",
     "parameters": {
       "source": {
         "type": "String",
@@ -68,6 +67,7 @@
       }
     },
     "versions": [
+      "1.2.1",
       "1.2.0-PREVIEW",
       "1.1.0-PREVIEW",
       "1.0.0-PREVIEW"